MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98ac0a744497cf22f08ae5e2e49eba547253f7824b2a76ecfd7cf786dd1b34ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 98ac0a744497cf22f08ae5e2e49eba547253f7824b2a76ecfd7cf786dd1b34ce
SHA3-384 hash: ced0787524cdbe26358d464481f74a942ca3d96b440e2b79afb5955468bd01df193c1a31c5e23df4bf41a2c7ea8d5cf6
SHA1 hash: 083cdeb1f92b0073e9db107b39b439239cfebff2
MD5 hash: 23a71377b58f082202b467da8c693dc0
humanhash: lactose-utah-pip-social
File name:Quotation.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:161'225 bytes
First seen:2024-03-21 17:12:43 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 3072:OaV5NSZh/awGqU42RvG+q4xgc3RR+vsZbqXRF1kEcVwJbknkxvQqTSTw8aP:XNSn/s42Rvrq4xgc3RR+vYbqXRFtcVw1
TLSH T150F328A3CECA26390F8A1FD9AD51C94285FB41753111107CE6EED7EDA183EAC82FD905
Reporter abuse_ch
Tags:RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.30476.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/65fc6aa887137159d44d8ce0/reports/6ff0beb2-ba82-4a40-a704-70822cfb226d/overview
Verdict:
Malicious
Labled as:
Trojan.GenericFCA.Agent
Link:
https://www.hybrid-analysis.com/sample/98ac0a744497cf22f08ae5e2e49eba547253f7824b2a76ecfd7cf786dd1b34ce
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1413423
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
Powershell uses Background Intelligent Transfer Service (BITS)
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes or reads registry keys via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1413423 Sample: Quotation.vbs Startdate: 21/03/2024 Architecture: WINDOWS Score: 100 51 johngavin1860.ddns.net 2->51 53 geoplugin.net 2->53 55 delikateschef.co.il 2->55 69 Found malware configuration 2->69 71 Antivirus detection for URL or domain 2->71 73 Multi AV Scanner detection for submitted file 2->73 77 7 other signatures 2->77 11 wscript.exe 1 2->11         started        14 svchost.exe 1 2 2->14         started        signatures3 75 Uses dynamic DNS services 51->75 process4 dnsIp5 85 VBScript performs obfuscated calls to suspicious functions 11->85 87 Suspicious powershell command line found 11->87 89 Wscript starts Powershell (via cmd or directly) 11->89 91 3 other signatures 11->91 17 powershell.exe 16 11->17         started        20 WmiPrvSE.exe 11->20         started        22 WerFault.exe 11->22         started        61 delikateschef.co.il 91.203.144.131, 443, 49715, 49716 GOODNET-ASUA Ukraine 14->61 63 127.0.0.1 unknown unknown 14->63 signatures6 process7 signatures8 65 Suspicious powershell command line found 17->65 67 Very long command line found 17->67 24 powershell.exe 23 17->24         started        27 conhost.exe 17->27         started        process9 signatures10 79 Writes to foreign memory regions 24->79 81 Powershell uses Background Intelligent Transfer Service (BITS) 24->81 83 Found suspicious powershell code related to unpacking or dynamic code loading 24->83 29 wab.exe 5 14 24->29         started        process11 dnsIp12 57 johngavin1860.ddns.net 207.244.237.106, 49721, 49723, 7276 CONTABOUS United States 29->57 59 geoplugin.net 178.237.33.50, 49725, 80 ATOM86-ASATOM86NL Netherlands 29->59 93 Maps a DLL or memory area into another process 29->93 33 cmd.exe 1 29->33         started        35 wab.exe 29->35         started        37 wab.exe 29->37         started        39 12 other processes 29->39 signatures13 process14 process15 41 conhost.exe 33->41         started        43 reg.exe 1 1 33->43         started        45 WerFault.exe 23 35->45         started        47 WerFault.exe 23 37->47         started        49 WerFault.exe 39->49         started       
Score:
75%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/98ac0a744497cf22f08ae5e2e49eba547253f7824b2a76ecfd7cf786dd1b34ce
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/98ac0a744497cf22f08ae5e2e49eba547253f7824b2a76ecfd7cf786dd1b34ce/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-03-20 03:39:31 UTC
File Type:
Text (VBS)
AV detection:
7 of 38 (18.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tcwau5ces7hsf4ek4xrojhv2krzfh54cjmvhn3h5pt3ynxi3gtha._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/240321-vre73sef6t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/98ac0a744497cf22f08ae5e2e49eba547253f7824b2a76ecfd7cf786dd1b34ce

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments